Advertisement

Advertisement

Your home’s online gadgets could be hacked by ultrasound

Devices can now communicate with each other via ultrasound, as the Internet of Things reaches the next level – but experts warn of security risks.

You really, really want that dress

pixdeluxe/Getty

By Sally Adee

SOMETIMES it feels as if they are watching you. You idly check out some clothes online one morning, and for the rest of the week, they follow you across the internet, appearing in adverts on every website you visit.

That can be spooky enough, but what if those ads could pop out of your browser and hound you across other devices? This is the potential of ultrasound technology potential of ultrasound technology, says Vasilios Mavroudis at University College London – and it offers a new way in for hacking attacks and privacy invasions. He and his colleagues spelled out their concerns at this week’s Black Hat cybersecurity conference in London.

So far, this kind of ultrasound technology has mainly been used as a way for companies to identify and track the people who have seen their ads, like a cross-device cookie. High-frequency audio “beacons” are embedded into TV commercials or browser ads. These sounds, which are inaudible to the human ear, can be picked up by apps on any nearby device that has a microphone. But the technology has many more applications. Some shopping reward apps, such as Shopkick, already use it to let retailers push department or aisle-specific ads and promotions to customers’ phones as they shop.

Advertisement

“It doesn’t require any special technology,” Mavroudis says. “If you’re a supermarket, all you need are regular speakers.” ultrasound

But there is a privacy risk. In March, the US Federal Trade Commission rapped the knuckles of 12 app developers who used ultrasound for cross-device tracking – even when the apps weren’t turned on. This meant that the apps could collect information about users without them knowing.

“It could be possible for an app to use your phone’s microphone to spy on your conversation“

The software developer providing the ultrasound code quickly withdrew it, but Mavroudis and his colleagues identify other problems with ultrasound-based technologies.

One worry is that these programs may not just be picking up ultrasound. “Any app that wants to use ultrasound needs access to the full range of the microphone,” says Mavroudis. That means it would be possible, in theory, for the app to spy on your conversation.

The ultrasonic audio beacons that these apps pick up can also be spoofed. This means that hackers could create fake beacons to send unwanted or malicious messages to your device, like malware. Mavroudis and his team realised that this would be possible when they found evidence of people trying to cheat prizes out of a shopping rewards app by playing it recordings downloaded from the internet. “That was when we realised how easy it would be to spoof these,” he says.

Ultrasound apps are still niche, but it could be an attractive technology for use in the internet of things, says Mu Mu, a computer scientist at the University of Northampton, UK. Ultrasound is a good candidate for pairing devices that have a speaker and microphone. For example, Google’s Chromecast app uses it to pair your mobile phone with its streaming dongle.

This creates a new channel for hacking attacks against these devices. Ultrasound can’t carry a lot of data, says Mu. “But if you know what you’re doing, just by sending a few bytes, you can hack a system and instruct it to do a lot of things. It doesn’t always take a lot of data to make something bad happen.”

Before ultrasound goes mainstream, Mavroudis says, we must work out how to regulate it and keep it from being hijacked for malicious purposes. “Ultrasound beacons don’t have specs yet,” he says. “There are no rules about how to build or connect ultrasound beacons. This is kind of a grey area where no one wants to take responsibility.”

He and his colleagues are agitating for standards similar to those that exist for Bluetooth. They have also developed countermeasures you can use in the meantime, including an ultrasound-filtering browser extension for Google Chrome that blocks any beacons embedded on a website from sounding. “It’s going to get worse unless we fix it,” says Mavroudis.

This article appeared in print under the headline “Stalked by ultrasound”